trufflehog:ignore - buildkite - gh action #3976

Open
sean-simmons-progress opened this issue Mar 13, 2025 · 0 comments

sean-simmons-progress commented Mar 13, 2025

Please review the Community Note before submitting

TruffleHog Version

Status: Downloaded newer image for ghcr.io/trufflesecurity/trufflehog:latest
gh action: trufflehog 3.88.15

Trace Output

https://gist.github.com/sean-simmons-progress/d62a2103910865f54fd3c1f399d32641

Expected Behavior

With tufflehog:ignore set on any line, it should skip that line, correct?

Actual Behavior

It fails the PR because it's claiming that the secret is unverified. It's not even a secret; this is a git commit SHA that's used to check out a specific version of a plugin:

Example:

  - foo-bar:
      valuebool: true
      fileDefinitio: .pathtoFile.yml
      env:
        - PLUGIN_TOOL: e5637ca1ed34a227eba86ae30761010f308b2d1b

Even when setting the ignore value, it still fails:

  - foo-bar:
      valuebool: true
      fileDefinitio: .pathtoFile.yml
      env:
        - PLUGIN_TOOL: e5637ca1ed34a227eba86ae30761010f308b2d1b #tufflehog:ignore 

https://docs.github.com/en/pull-requests/committing-changes-to-your-project/creating-and-editing-commits/about-commits#about-commits

Steps to Reproduce

1. Set up a trufflehog action.
2. Add a line to any file that allows lines with #tufflehog:ignore and that contains a test secret.
3. Commit it back to source.
4. Open a PR.
5. Run the action against the PR.

It should fail the PR.

Additional Context

In order to fix this I have to pass --exclude-detectors="Buildkite" in the extra_args:

name: trufflehog secret scan
on:
  workflow_dispatch:
  pull_request:
    branches: [ main ]

jobs:
  TruffleHog:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      
      - name: TruffleHog secret scan
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          extra_args: --log-level=5 --exclude-detectors="Buildkite"
        continue-on-error: false

References

  • #0000
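Added illustration, not TruffleHog's own code: a small line-level scanner that flags 40-hex-character tokens (the shape of the commit SHA in the report) and skips a line only when it carries the documented `trufflehog:ignore` marker. It assumes the marker is matched as a literal substring; run over the report's snippet, the line marked `#tufflehog:ignore` (missing "r") is still flagged, while the correctly spelled marker suppresses it.

```python
import re
from typing import List, Tuple

# Marker documented by TruffleHog for opting a single line out of scanning.
# Assumption of this example: it is matched as a literal substring of the line.
IGNORE_MARKER = "trufflehog:ignore"

# A 40-hex-character token: the shape of a git commit SHA, and the kind of
# value a detector such as Buildkite's can pick up as a candidate secret.
HEX40 = re.compile(r"\b[0-9a-f]{40}\b")


def scan(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, token) for every candidate on a non-ignored line."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if IGNORE_MARKER in line:
            continue  # the per-line opt-out; everything else on the line is skipped
        for match in HEX40.finditer(line):
            findings.append((lineno, match.group(0)))
    return findings


# Constructed input mirroring the snippet in the report (marker misspelled).
SNIPPET_MISSPELLED = """\
  - foo-bar:
      env:
        - PLUGIN_TOOL: e5637ca1ed34a227eba86ae30761010f308b2d1b #tufflehog:ignore
"""

# Same snippet with the marker spelled as documented.
SNIPPET_CORRECT = SNIPPET_MISSPELLED.replace("#tufflehog:ignore", "#trufflehog:ignore")

if __name__ == "__main__":
    print("misspelled marker:", scan(SNIPPET_MISSPELLED))  # SHA still reported
    print("correct marker:   ", scan(SNIPPET_CORRECT))     # nothing reported
```

The `--exclude-detectors="Buildkite"` workaround in the report silences that detector for the whole scan, whereas a correctly spelled inline marker only exempts the one line that carries it.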